Abstract. Due to implementation constraints the XOR operation is widely used in
order to combine plaintext and key bit-strings in secret-key block ciphers. This
choice directly induces the classical version of the differential attack by the
use of XOR-kind differences. While very natural, there are many alternatives to
the XOR, each of them inducing a new form of its corresponding differential
attack (using the appropriate notion of difference), and therefore block ciphers
need to use S-boxes that are resistant against these nonstandard differential
cryptanalyses. In this contribution we study the functions that offer the best
resistance against a differential attack based on a finite field multiplication.
We also show that in some particular cases there are robust permutations which
offer the best resistance against both multiplication-based and
exponentiation-based differential attacks. We call them doubly perfect nonlinear
permutations.
1 Introduction

Shannon introduced in [13] the notions of diffusion and confusion which have
been generally accepted and successfully used by cryptologists as guidelines in
their work to design secret-key ciphers. These notions accurately set up a
category of "nice" cryptographic objects, namely the iterative block ciphers such
as the Data and Advanced Encryption Standards (see [3,4]). Such an algorithm
works as an iteration of a certain procedure called the round function. This
function is made of two parts, a linear and a nonlinear one, whose roles are to
satisfy Shannon's diffusion and confusion. Diffusion refers to a sensitivity to
the initial conditions: a small deviation in the input should cause a large
change at the output. The linear part of the round function is devoted to
providing a good level of diffusion. The goal of confusion is to hide the
algebraic relations between the plaintext and the secret key in order to make
statistical attacks harder. This is exactly the role assumed by the nonlinear
part, also called S-boxes. One of the major attacks against which the S-boxes
should be highly resistant is the differential cryptanalysis [1] or its "dual"
counterpart, the linear attack [5]. The differential cryptanalysis is
intrinsically related to the way the plaintexts and the round keys are combined
at each step. To interlock plaintexts with keys, the XOR or component-wise
modulo-two sum (or the addition in characteristic 2) is usually chosen because of
its efficient implementation. A block cipher is then vulnerable to the
differential attack if there is a nonzero XOR difference of two plaintexts such
that the difference in output is statistically distinguishable from a random
variable that follows a (discrete) uniform law. The S-boxes that offer the best
resistance against such an attack are the perfect nonlinear functions [7]. As
very particular combinatorial objects, perfect nonlinear functions do not exist
in every configuration. For instance if one works in finite elementary Abelian
2-groups, which in practice is usually the case, precisely because of the
involutive nature of the addition, perfect nonlinear permutations cannot exist.
Since in practice the plaintexts and ciphertexts have the same length, we cannot
use perfect nonlinear permutations as S-boxes. So in many cases block ciphers
exploit suboptimally differentially resistant functions, such as almost perfect
nonlinear [6] or even differentially $\delta$-uniform [8] functions.
We make two simple observations. We have seen above that by nature, the XOR
prohibits the existence of perfect nonlinear permutations. Moreover, apart from
the XOR operation, the combination law of plaintexts and keys can take many
forms. While really efficient by nature, the XOR is a very specific case of group
action and it could be interesting to use another one. Roughly speaking (more
details are given in subsection 2.2) a group action is nothing but a particular
external operation of a group on a set (as the scalar multiplication of vectors).
The set in question is the collection of all the possible plaintexts. The set of
(round) keys is endowed with a group structure and operates on the messages.
Such a very general block cipher could be vulnerable to a modified differential
attack which should no longer be related to the XOR differences but to the
appropriate group action differences. In [12] the algorithm of such an attack is
presented. Therefore the determination of the best resistant S-boxes, or in other
terms the adapted concept of perfect nonlinear functions, is needed. The
theoretical description of such functions covers the following contributions
[9-11] and the most important definitions and relevant results upon them are
recalled in section 2.

We said earlier that although natural, the XOR is not the only way to combine
bit-strings. In the finite field setting the multiplication may also be used. The
S-boxes that maximally resist a differential attack based on the multiplication
rather than the addition are called multiplicatively perfect nonlinear functions
and in this paper we prove the existence of permutations with such a
cryptographic property in many situations (and in more cases than classical
perfect nonlinear functions). In addition, in some very particular cases, the
multiplicative group $K^*$ of a finite field $K$ in characteristic two can be
equipped with another multiplication, which is distributive over the classical
one. With this second multiplication (which is merely an exponentiation), $K^*$
turns out to be a finite field itself (but no longer of characteristic two). This
paper has as its major goal the construction of Boolean permutations over $K$
which are perfect nonlinear with respect to both multiplications of the new
field. They are called doubly perfect nonlinear Boolean permutations and can be
seen as relevant alternatives to the use of almost perfect nonlinear
permutations.



2 Classical and generalized situations

2.1 Notations and conventions

In this contribution the term function has the same meaning as the expression
total function. If $X$ is a finite set then $|X|$ is its cardinality and
$\mathrm{Id}_X$ its identity map. For $f : X \to Y$ and $y \in Y$ we define as
usual the fibre $f^{-1}(\{y\}) = \{x \in X \mid f(x) = y\}$. For an additive
group $(G, +, 0)$ (resp. a multiplicative group $(G, ., 1)$) we define
$G^* = G \setminus \{0\}$ (resp. $G^* = G \setminus \{1\}$). For a unitary ring
$(R, +, 0, ., 1)$ we have $R^* = R \setminus \{0\}$ and
$R^{**} = R^* \setminus \{1\} = R \setminus \{0, 1\}$. Moreover the group of
units of $R$ (i.e. the group of invertible elements of the ring) is denoted
$U(R)$ and obviously $U(R)^* = U(R) \setminus \{1\}$. In order to simplify the
notations we sometimes identify a group (or a ring) with its underlying set. The
ring of integers modulo $n$ is denoted $(\mathbb{Z}_n, +, 0, ., 1)$ and its
underlying set is identified with the particular system of representatives of
residue classes $\{0, 1, \ldots, n-1\}$. The finite field of characteristic $p$
with $p^m$ elements is denoted $GF(p^m)$. A prime field $GF(p)$ is identified
with $\mathbb{Z}_p$ and therefore with $\{0, 1, \ldots, p-1\}$. Finally
$\mathrm{Aut}(G)$ denotes the set of all group automorphisms of a group $G$.

2.2 Group actions

Essential to everything that we shall discuss in this paper is the notion of
group actions.

Let $G$ be a group and $X$ a nonempty set. We say that $G$ acts on $X$ if there
is a group homomorphism $\phi : G \to S(X)$, where $S(X)$ is the group of
permutations over $X$. Usually for $(g, x) \in G \times X$, we use the following
convenient notation

$$g.x := \phi(g)(x) \quad (1)$$

and so we hide any explicit reference to the morphism $\phi$. An action is called
faithful if the corresponding homomorphism $\phi$ is one-to-one. It is called
regular if for each $(x, y) \in X^2$ there is one and only one $g \in G$ such
that $g.x = y$. A regular action is also faithful.

Example 1.

— A group $G$ acts on itself by (left) translation: $g.x := gx$ for
$(g, x) \in G^2$ ($G$ is here written multiplicatively). This action is regular;

— A subgroup $H$ of a group $G$ also acts on $G$ by translation: $h.x := hx$ for
$(h, x) \in H \times G$. This action is faithful and if $H$ is a proper
subgroup, then the action is not regular;

— The multiplicative group $K^*$ of a field $K$ acts on $K$ by the
multiplication law of the group. This action is faithful but not regular since
$0$ is fixed by every element of $K^*$. More generally the action of $K^*$ on a
$K$-vector space by scalar multiplication is also a faithful action (in this
case the null vector is fixed by any scalar multiplication).



2.3 Group action perfect nonlinearity

Let $X$ and $Y$ be two finite nonempty sets. A function $f : X \to Y$ is called
balanced if for each $y \in Y$,

$$|\{x \in X \mid f(x) = y\}| = \frac{|X|}{|Y|}. \quad (2)$$

With the concept of group actions we now have all the ingredients to recall the
notion of group action perfect nonlinearity (see [10]).

Definition 1. Let $G$ be a finite group that acts faithfully on a finite
nonempty set $X$. Let $H$ be a finite group (written additively). A function
$f : X \to H$ is called perfect nonlinear (with respect to the action of $G$ on
$X$) or $G$-perfect nonlinear if for each $\alpha \in G^*$, the derivative of
$f$ in direction $\alpha$

$$d_\alpha f : X \to H, \quad x \mapsto f(\alpha.x) - f(x) \quad (3)$$

is balanced, or in other words for each $\alpha \in G^*$ and each $\beta \in H$,

$$|\{x \in X \mid d_\alpha f(x) = \beta\}| = \frac{|X|}{|H|}. \quad (4)$$

As we can see our definition coincides with the classical one (see [2]) in the
classical situation ($G$ acts on itself by left translation).



3 Doubly perfect nonlinear Boolean permutations

In the finite field setting there are two main natural group actions, namely
additive and multiplicative translations. The first one is the standard used as
plaintext and key combination process and has been widely studied in terms of
(classical) perfect nonlinearity and/or bentness. In this contribution we focus
on the second one: we construct perfect nonlinear functions with respect to
multiplication rather than addition, called multiplicatively perfect nonlinear
functions. Moreover in very particular cases, multiplication can be seen as the
addition of a new finite field. In this paper we exhibit some perfect nonlinear
functions with respect to both the original and the new multiplications, called
doubly perfect nonlinear functions.



3.1 Multiplicatively perfect nonlinear functions

Let us begin with a lemma whose proof is a triviality.

Lemma 1. Let $G$ and $H$ be two finite groups (written multiplicatively). Let
$\lambda$ be a group homomorphism from $G$ to $H$. For each
$\beta \in \lambda(G)$,

$$|\lambda^{-1}(\{\beta\})| = |\ker \lambda|. \quad (5)$$

Let $d$ and $m$ be two nonzero integers. We denote by $V(p, m, d)$ any
$d$-dimensional vector space over the finite field $GF(p^m)$. We use the same
symbols "$+$" (resp. "$-$") to denote both additions (resp. subtractions) of
$V(p, m, d)$ and $GF(p^m)$, and $a.v$ is the scalar multiplication of
$v \in V(p, m, d)$ by $a \in GF(p^m)$.

Lemma 2. Let $d, e, m, n > 0$ be any integers. Let $\lambda$ be a group
homomorphism from $(V(p, m, d), +)$ to $(V(p, n, e), +)$. Let $G$ be a subgroup
of the group $GF(p^m)^*$. Then for each $\beta \in \lambda(V(p, m, d))$ and for
each $\alpha \in G^*$,

$$|\{v \in V(p, m, d) \mid d_\alpha \lambda(v) = \beta\}| = |\lambda^{-1}(\{\beta\})| = |\ker \lambda|. \quad (6)$$

The proof of the previous lemma is not difficult and thus is not given here.

Theorem 1. Let $d, e, m, n > 0$ be any integers such that $md \geq ne$. Let
$\lambda$ be a group epimorphism (a group homomorphism which is onto) from
$(V(p, m, d), +)$ onto $(V(p, n, e), +)$. Then $\lambda$ is
$GF(p^m)^*$-perfect nonlinear.

Proof. Since $\lambda$ is onto, every $\beta \in V(p, n, e)$ belongs to
$\lambda(V(p, m, d))$. According to lemma 2 with $G = GF(p^m)^*$, for each
$\beta \in V(p, n, e)$ and for each
$\alpha \in GF(p^m)^{**} = GF(p^m) \setminus \{0, 1\}$,
$|\{v \in V(p, m, d) \mid d_\alpha \lambda(v) = \beta\}| = |\lambda^{-1}(\{\beta\})| = |\ker \lambda|$.
But $\{\lambda^{-1}(\{\beta\})\}_{\beta \in V(p, n, e)}$ is a partition of
$V(p, m, d)$. Therefore we have

$$|V(p, m, d)| = \sum_{\beta \in V(p, n, e)} |\lambda^{-1}(\{\beta\})| = |\ker \lambda| \, |V(p, n, e)|.$$

So $|\ker \lambda| = \frac{|V(p, m, d)|}{|V(p, n, e)|} = p^{md - ne}$. $\square$

In classical situations it is well-known that if a function
$f : V(2, m, d) \to V(2, n, e)$ is bent then $md$ is an even integer and
$md \geq 2ne$. Replacing addition by multiplication allows us to find "bent"
functions even if $md$ is an odd integer and/or $2ne > md \geq ne$. When
$md = ne$ (and $p = 2$), almost perfect nonlinear (APN) functions are relevant
for cryptographic purposes. They are defined (see [6]) by the fact that the
equation $d_\alpha f(x) = \beta$ with $x$ as an unknown has at most two solutions
for each $\alpha \neq 0$ and each $\beta$. The only known examples of APN
permutations need $md$ to be an odd integer. In our case by construction any
$GF(p^m)$-linear isomorphism of $V(p, m, d)$ is $GF(p^m)^*$-perfect nonlinear;
so it is also the case for $p = 2$ and $md$ an even integer.



3.2 Doubly perfect nonlinear Boolean permutations

The group of units $GF(p^m)^*$ of the finite field $GF(p^m)$ can be equipped
with another multiplication that turns it into a unitary commutative ring.
Indeed let $\gamma$ be a primitive root of $GF(p^m)$. The exponential

$$e_\gamma : (\mathbb{Z}_{p^m - 1}, +) \to GF(p^m)^*, \quad i \mapsto \gamma^i \quad (7)$$

is a group isomorphism (in the remainder we always suppose that such a
primitive root $\gamma$ is fixed). We can use it to turn $GF(p^m)^*$ into a
commutative unitary ring, isomorphic to the ring of integers modulo $p^m - 1$,
by $\gamma^i \times \gamma^j = \gamma^{ij}$ (more rigorously
$\gamma^i \times \gamma^j = e_\gamma(e_\gamma^{-1}(\gamma^i) e_\gamma^{-1}(\gamma^j)) = e_\gamma(ij)$;
in fact any calculation in the exponent should be understood modulo $p^m - 1$).
We call such a structure $(GF(p^m), +, 0, ., 1, \times, \gamma)$ a
characteristic $(p, p^m - 1)$ field-ring (which means that
$(GF(p^m), +, 0, ., 1)$ is a characteristic $p$ field and
$(GF(p^m)^*, ., 1, \times, \gamma)$ is a characteristic $p^m - 1$ ring, i.e.
$\gamma^{p^m - 1} = 1$ and $\gamma^i \neq 1$ for all $0 < i < p^m - 1$) or
double-field when $(GF(p^m)^*, ., 1, \times, \gamma)$ is also a field. The
multiplicative identity of the ring $(GF(p^m)^*, ., 1, \times, \gamma)$ is
$\gamma^1 = \gamma$ and the classical rules of distributivity, absorption and
associativity take the following forms:
$\gamma^i \times (\gamma^j \gamma^k) = (\gamma^i \times \gamma^j)(\gamma^i \times \gamma^k)$,
$1 \times \gamma^i = 1$,
$\gamma^i \times (\gamma^j \times \gamma^k) = (\gamma^i \times \gamma^j) \times \gamma^k$.
The group of units of this ring, $U(GF(p^m)^*)$, is equal to
$\{\gamma^i \mid i \in U(\mathbb{Z}_{p^m - 1})\} = \{\gamma^i \mid (i, p^m - 1) = 1\}$
(where $(i, j)$ is the greatest common divisor of $i$ and $j$) and if $\gamma^i$
is invertible with respect to $\times$ (i.e. $\gamma^i$ is a unit),
$(\gamma^i)^{-1} = \gamma^{i^{-1}}$. If $i \neq 0$ is not coprime with
$p^m - 1$, then it is a zero divisor in $\mathbb{Z}_{p^m - 1}$: there exists
$j \neq 0$ such that $ij = 0$, therefore $\gamma^i$ is itself a zero divisor
(more formally, a $\times$-divisor of $1$) in $GF(p^m)^*$ because
$\gamma^i \times \gamma^j = \gamma^{ij} = \gamma^0 = 1$. This ring is an
integral domain if and only if $(\mathbb{Z}_{p^m - 1}, +, 0, ., 1)$ is itself an
integral domain or equivalently a (finite) field. So
$(GF(p^m)^*, ., 1, \times, \gamma)$ is a finite field if and only if $p^m - 1$
is a prime integer. If $p$ is an odd prime number then the only possible choice
is $p = 3$ and $m = 1$ (since $3^1 - 1 = 2$) because in the other cases
$p^m - 1 > 2$ and is even. The following lemma gives a constraint on $m$ when
$p = 2$.

Lemma 3. Let $k \in \mathbb{N}^*$, $k > 1$. Let $m \in \mathbb{N}^*$. If $m$
is not a prime integer then neither is $k^m - 1$.

Proof. Suppose that $m = rs$ where both $r$ and $s$ are integers greater than or
equal to $2$. We will prove that
$k^{rs} - 1 = (k^r - 1) \sum_{i=1}^{s} k^{r(s-i)}$ by induction on the integer
$s$.

If $s = 2$ then $k^{2r} - 1 = (k^r - 1)(k^r + 1)$.

Let $s \in \mathbb{N}^*$ such that $s \geq 2$. Suppose that for all integers $l$
such that $1 < l \leq s$,
$k^{rl} - 1 = (k^r - 1) \sum_{i=1}^{l} k^{r(l-i)}$. Let us prove that
$k^{r(s+1)} - 1 = (k^r - 1) \sum_{i=1}^{s+1} k^{r(s+1-i)}$. We have

$$\begin{aligned}
k^{r(s+1)} - 1 &= k^r (k^{rs} - 1) + (k^r - 1) \\
&= k^r (k^r - 1) \sum_{i=1}^{s} k^{r(s-i)} + (k^r - 1) \quad \text{(by induction hypothesis)} \quad (8) \\
&= (k^r - 1) \left( \sum_{i=1}^{s} k^{r(s+1-i)} + 1 \right) \\
&= (k^r - 1) \sum_{i=1}^{s+1} k^{r(s+1-i)}. \quad (9)
\end{aligned}$$

$\square$


An integer of the form $2^q - 1$ where $q$ is a prime number is called a
Mersenne number. When a Mersenne number is itself a prime integer, it is called
a Mersenne prime (for instance $3 = 2^2 - 1$, $7 = 2^3 - 1$, $31 = 2^5 - 1$ and
$127 = 2^7 - 1$ are Mersenne prime numbers). So given a Mersenne prime
$p = 2^q - 1$, $(GF(2^q)^*, ., 1, \times, \gamma)$ is isomorphic to the prime
field $(GF(p), +, 0, ., 1)$ (which is identified with
$(\mathbb{Z}_p, +, 0, ., 1)$) and $(GF(2^q), +, 0, ., 1, \times, \gamma)$ is a
characteristic $(2, p)$ double-field (i.e. $(GF(2^q), +, 0, ., 1)$ is a
characteristic $2$ field and $(GF(2^q)^*, ., 1, \times, \gamma)$ is a
characteristic $p$ field).

We now characterize the existence of some subgroups of units in rings which
will be useful in the sequel.

Lemma 4. Let $R$ be a non-trivial unitary ring (i.e. $R$ is not reduced to
$0$). Then $-1$ is invertible in $R$.

Proof. It is obvious since $(-1)(-1) = 1$. $\square$

Lemma 5. Let $n > 1$. The group of units $U(\mathbb{Z}_n)$ contains at least
one subgroup $G$ such that for every $i \in G^*$ (i.e. $i \neq 1$ and
$i \in G$), $i - 1 \in U(\mathbb{Z}_n)$ if and only if $n$ is equal to $2$ or is
an odd integer.

Proof. If $n = 2$ then $G = U(\mathbb{Z}_2) = \{1\}$ is a group with the good
properties. Let us suppose that $n > 2$ is an even integer. Then $i$ belongs to
$U(\mathbb{Z}_n)$ if and only if $(i, n) = 1$. Therefore $i$ is an odd integer.
Then $i - 1$ is equal to zero or is an even integer and it is invertible in
none of the two cases. Now let us suppose that $n$ is an odd integer. Then $2$
is invertible modulo $n$. Since according to lemma 4 (since $n > 1$,
$\mathbb{Z}_n$ is non-trivial) $-1$ is a unit, $-2 = 2(-1) = -1 - 1$ is also
invertible. The group $G = \langle -1 \rangle = \{\pm 1\}$ satisfies the
assumptions of the lemma. $\square$

We should note that in the particular case where $n$ is a prime number $p$,
$\mathbb{Z}_p^* = U(\mathbb{Z}_p)$ is such a group $G$. If $n = 2^m - 1$ then
$n$ is odd so there is at least one subgroup $G$ of $U(\mathbb{Z}_{2^m - 1})$
such that $\forall i \in G^*$, $i - 1 \in U(\mathbb{Z}_{2^m - 1})$. If $p$ is an
odd prime then $p^m - 1$ is an even number. So except in the trivial case
$p = 3$ and $m = 1$, $U(\mathbb{Z}_{p^m - 1})$ does not contain any such group
$G$.

Lemma 6. Let $\gamma^i \in U((GF(p^m)^*, ., 1, \times, \gamma))$. Then the map

$$\Lambda_{\gamma^i} : GF(p^m)^* \to GF(p^m)^*, \quad \gamma^j \mapsto \gamma^i \times \gamma^j \quad (10)$$

is a group automorphism of $(GF(p^m)^*, ., 1)$.

Proof. Since $\times$ is distributive over $.$, $\Lambda_{\gamma^i}$ is a group
endomorphism of $(GF(p^m)^*, ., 1)$. Let $\gamma^j$ such that
$\gamma^i \times \gamma^j = 1$. This is equivalent to $ij = 0$. But
$\gamma^i \in U(GF(p^m)^*)$ so $i \in U(\mathbb{Z}_{p^m - 1})$ and then
$ij = 0$ if and only if $j = 0$. So $\gamma^j = \gamma^0 = 1$ and
$\Lambda_{\gamma^i}$ is one-to-one, hence also onto. It is thus an element of
$\mathrm{Aut}((GF(p^m)^*, ., 1))$. $\square$



Lemma 7. Let $G$ be a subgroup of $(U(GF(p^m)^*), \times, \gamma)$. Then $G$
acts faithfully (by group automorphisms) on $(GF(p^m)^*, ., 1)$ by
$\rho(\gamma^i) : \gamma^j \mapsto \gamma^i \times \gamma^j$.

Proof. We define

$$\rho : G \to \mathrm{Aut}((GF(p^m)^*, ., 1)), \quad \gamma^i \mapsto \Lambda_{\gamma^i} : (\gamma^j \mapsto \gamma^i \times \gamma^j). \quad (11)$$

(By lemma 6 we already know that for each $\gamma^i \in G$, we have
$\rho(\gamma^i) \in \mathrm{Aut}((GF(p^m)^*, ., 1))$.) Let us prove that $\rho$
is a group action on $GF(p^m)^*$. Let $\gamma^i$ and $\gamma^j$ be elements of
$G$. Let $\gamma^k \in GF(p^m)^*$. Then
$\rho(\gamma^i \times \gamma^j)(\gamma^k) = \rho(\gamma^{ij})(\gamma^k) = \gamma^{ij} \times \gamma^k = \gamma^{ijk} = \gamma^i \times (\gamma^j \times \gamma^k) = (\rho(\gamma^i) \circ \rho(\gamma^j))(\gamma^k)$.
So $\rho$ is a group homomorphism from $G$ to
$\mathrm{Aut}((GF(p^m)^*, ., 1))$. Finally let $\gamma^i \in G$ such that
$\rho(\gamma^i) = \mathrm{Id}_{GF(p^m)^*}$. For any
$k \in \mathbb{Z}_{p^m - 1}$, $\gamma^{ik} = \gamma^k$. So $ik = k$ and in
particular $i \cdot 1 = 1$, therefore $i = 1$ and $\gamma^i = \gamma^1 = \gamma$.
We deduce that $\rho$ is one-to-one and the action is thus faithful. $\square$

Definition 2. Let $G$ be a group and $X$ be any (nonempty) set. The restriction
to $G^*$ of a map $f : G \to X$ is denoted $f^*$.

Theorem 2. Let $m \in \mathbb{N}^*$ such that $m > 1$. Let $G$ be a subgroup of
$U(\mathbb{Z}_{2^m - 1})$ such that for each $i \in G^*$,
$i - 1 \in U(\mathbb{Z}_{2^m - 1})$ (such a group exists according to lemma 5
since $2^m - 1 > 1$ by assumption and is an odd number). Let $\lambda$ be a
field automorphism from $GF(2^m)$ to itself. Then we have

1. $\lambda$ is $(GF(2^m)^*, ., 1)$-perfect nonlinear from $GF(2^m)$ to
$GF(2^m)$;

2. $\lambda^*$ is $(\gamma^G, \times, \gamma)$-perfect nonlinear from
$GF(2^m)^*$ to $GF(2^m)^*$ where $\gamma^G = e_\gamma(G)$.

Proof. 1. This result is clear by applying theorem 1 with $GF(2^m)$ considered
as a one-dimensional vector space over itself.

2. Since $\gamma^G = e_\gamma(G)$, $\gamma^G$ is a subgroup of the group of
units of $GF(2^m)^*$. By lemma 7, $\gamma^G$ acts faithfully on $GF(2^m)^*$ by
group automorphisms. Because $\lambda$ is a field homomorphism,
$\lambda(GF(2^m)^*) \subseteq GF(2^m)^*$ and therefore
$\lambda^* : GF(2^m)^* \to GF(2^m)^*$ is a group homomorphism. Moreover
$\lambda^*$ is onto. Indeed for $y \in GF(2^m)^*$ there is $x \in GF(2^m)$ such
that $\lambda(x) = y$. Since $y \neq 0$, $x \neq 0$ and therefore
$\lambda^*(x) = y$. So $\lambda^*$ is a group epimorphism (and then a group
automorphism). Let $\beta \in GF(2^m)^* = \lambda(GF(2^m)^*)$. Let
$\gamma^i \in (\gamma^G)^*$ (so $i \neq 1$). Let us prove that
$\{\gamma^j \in GF(2^m)^* \mid d_{\gamma^i} \lambda^*(\gamma^j) = \beta\} = \gamma^{(i-1)^{-1}} \times \lambda^{-1}(\{\beta\})$.
We have

$$\begin{aligned}
d_{\gamma^i} \lambda^*(\gamma^j) = \beta &\Leftrightarrow \frac{\lambda^*(\gamma^i \times \gamma^j)}{\lambda^*(\gamma^j)} = \beta \\
&\Leftrightarrow \lambda\left(\frac{\gamma^i \times \gamma^j}{\gamma^j}\right) = \beta \quad \text{(because $\lambda$ is a field homomorphism)} \\
&\Leftrightarrow \lambda((\gamma^i \times \gamma^j)(\gamma^{-j})) = \beta \\
&\Leftrightarrow \lambda((\gamma^i \times \gamma^j)(\gamma^{-1} \times \gamma^j)) = \beta \\
&\Leftrightarrow \lambda((\gamma^i \gamma^{-1}) \times \gamma^j) = \beta \quad \text{(by distributivity)} \\
&\Leftrightarrow \lambda(\gamma^{i-1} \times \gamma^j) = \beta \\
&\Leftrightarrow \gamma^{i-1} \times \gamma^j \in \lambda^{-1}(\{\beta\}). \quad (12)
\end{aligned}$$

Since $\gamma^i \in (\gamma^G)^* \Leftrightarrow i \in G^*$ and by assumption on
$G$, $i - 1$ is invertible modulo $2^m - 1$. Then
$\gamma^{i-1} \in U(GF(2^m)^*)$. According to lemma 6,
$\Lambda_{\gamma^{i-1}} \in \mathrm{Aut}((GF(2^m)^*, ., 1))$. Therefore
$\gamma^{i-1} \times \gamma^j \in \lambda^{-1}(\{\beta\}) \Leftrightarrow \gamma^j \in (\Lambda_{\gamma^{i-1}})^{-1}(\lambda^{-1}(\{\beta\})) = \gamma^{(i-1)^{-1}} \times \lambda^{-1}(\{\beta\})$.
Since $\Lambda_{\gamma^{(i-1)^{-1}}}$ is a permutation we have
$|\lambda^{-1}(\{\beta\})| = |\gamma^{(i-1)^{-1}} \times \lambda^{-1}(\{\beta\})|$.
Because $\beta \in GF(2^m)^*$, we have
$\lambda^{-1}(\{\beta\}) = (\lambda^*)^{-1}(\{\beta\})$ and by lemma 1 we deduce
that
$|\gamma^{(i-1)^{-1}} \times \lambda^{-1}(\{\beta\})| = |(\lambda^*)^{-1}(\{\beta\})| = |\ker \lambda^*|$
with
$\ker \lambda^* = \{x \in GF(2^m)^* \mid \lambda^*(x) = 1\} = \{x \in GF(2^m)^* \mid \lambda(x) = 1\}$.
In addition $\{\lambda^{-1}(\{\beta\})\}_{\beta \in GF(2^m)^*}$ is a partition
of $GF(2^m)^*$. Therefore we have

$$|GF(2^m)^*| = \sum_{\beta \in GF(2^m)^*} |\lambda^{-1}(\{\beta\})| = |\ker \lambda^*| \, |GF(2^m)^*|. \quad (13)$$

Then for each $\gamma^i \in (\gamma^G)^*$ (or equivalently for each
$i \in G^*$) and for each $\beta \in GF(2^m)^*$,
$|\{\gamma^j \in GF(2^m)^* \mid d_{\gamma^i} \lambda^*(\gamma^j) = \beta\}| = |\ker \lambda^*| = 1$.
$\square$

Definition 3. Let $p = 2^q - 1$ be a Mersenne prime number. A function
$f : GF(2^q) \to GF(2^q)$ such that $f(a) \neq 0$ for all invertible
$a \in GF(2^q)$ is called doubly perfect nonlinear if

1. $f$ is $(GF(2^q)^*, ., 1)$-perfect nonlinear from $GF(2^q)$ to itself;

2. $f^*$ is $(GF(2^q)^{**}, \times, \gamma)$-perfect nonlinear from $GF(2^q)^*$
to itself.

Since the group of field automorphisms of a finite field $GF(p^m)$ is identical
to the Galois group of the degree $m$ extension $GF(p^m)$ over its prime field,
which is a cyclic group generated by the Frobenius automorphism

$$\mathcal{F}_p : GF(p^m) \to GF(p^m), \quad x \mapsto x^p \quad (14)$$

every field automorphism $\lambda$ can be written as $\mathcal{F}_p^r$ for one
$r$ such that $0 \leq r \leq m - 1$. We now give a nice result that asserts the
existence of a Boolean permutation over $GF(2^q)$, where $p = 2^q - 1$ is a
Mersenne prime, which is both $(GF(2^q)^*, ., 1)$-perfect nonlinear and
$(GF(2^q)^{**}, \times, \gamma)$-perfect nonlinear, i.e. doubly perfect
nonlinear.

Theorem 3. Let $p = 2^q - 1$ be a Mersenne prime number. Let
$\lambda = \mathcal{F}_2^r$ (for any $0 \leq r \leq q - 1$) be a field
automorphism of $GF(2^q)$. Then $\lambda$ is a doubly perfect nonlinear
permutation.

Proof. Because $p = 2^q - 1$ is a prime number, $GF(2^q)^*$ is isomorphic to the
field $GF(p) = \mathbb{Z}_p$. Therefore we can choose $G = \mathbb{Z}_p^*$ as a
group such that for each $i \in G^*$, $i - 1$ is invertible modulo $p$. Then
$\gamma^G = U(GF(2^q)^*) = GF(2^q)^{**} = GF(2^q) \setminus \{0, 1\}$. According
to theorem 2, $\lambda$ is $(GF(2^q)^*, ., 1)$-perfect nonlinear and $\lambda^*$
is $(GF(2^q)^{**}, \times, \gamma)$-perfect nonlinear. $\square$
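Both properties of Theorem 3 (and the multiplicative perfect nonlinearity of Theorems 1 and 2) can be verified exhaustively for the small Mersenne primes $7 = 2^3 - 1$ and $31 = 2^5 - 1$. The following Python script is an added example, not code from the paper: it assumes the primitive polynomials $x^3 + x + 1$ and $x^5 + x^2 + 1$ (so that $\gamma = x$), represents field elements as bit masks, counts the values of the derivative of Definition 1 for every direction, and for contrast shows that the $GF(2)$-linear map $x \mapsto x^2 + x$ fails both conditions.

```python
from collections import Counter

# Constructed choice for this example: primitive polynomials over GF(2), as bit masks
# (x^3 + x + 1 and x^5 + x^2 + 1), so that gamma = x is a primitive root of GF(2^q).
POLYS = {3: 0b1011, 5: 0b100101}

def gf_mul(a, b, q, poly):
    """Multiply two elements of GF(2^q) (integers seen as bit vectors) modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> q:                     # degree reached q: reduce by the polynomial
            a ^= poly
    return r

def log_tables(q):
    """exp[i] = gamma^i for i in Z_{2^q-1} and log = the inverse map e_gamma^{-1}."""
    n, poly, exp, v = 2**q - 1, POLYS[q], [], 1
    for _ in range(n):
        exp.append(v)
        v = gf_mul(v, 0b10, q, poly)   # multiply by gamma = x
    assert len(set(exp)) == n          # gamma really is a primitive root
    return exp, {v: i for i, v in enumerate(exp)}

def is_g_perfect_nonlinear(f, X, act, A_star, diff, h_size):
    """Definition 1: for each a in A_star (the acting group minus its identity) the
    derivative x -> f(a.x) 'minus' f(x) must hit every element of H exactly |X|/|H| times."""
    target = len(X) // h_size
    for a in A_star:
        counts = Counter(diff(f(act(a, x)), f(x)) for x in X)
        if len(counts) != h_size or any(c != target for c in counts.values()):
            return False
    return True

def check_doubly_pn(q, f):
    """Return (f is multiplicatively PN on GF(2^q), f* is PN for the product x on GF(2^q)*)."""
    n, poly = 2**q - 1, POLYS[q]
    exp, log = log_tables(q)
    mul = lambda a, x: gf_mul(a, x, q, poly)
    # 1. GF(2^q)* acts on GF(2^q) by field multiplication, H = (GF(2^q), +): the
    #    derivative is f(a.x) - f(x) = f(a.x) XOR f(x), for a in GF(2^q)** = GF(2^q) \ {0, 1}.
    mult_pn = is_g_perfect_nonlinear(f, range(2**q), mul, range(2, 2**q),
                                     lambda u, v: u ^ v, 2**q)
    # 2. Second multiplication gamma^i x gamma^j = gamma^(ij mod n).  n = 2^q - 1 is prime
    #    here, so every gamma^i with i != 0 is a unit and (GF(2^q)**, x, gamma) acts on
    #    GF(2^q)*, H = (GF(2^q)*, ., 1): the derivative is f*(gamma^i x y) / f*(y), for
    #    gamma^i different from the x-identity gamma^1 = gamma.
    if any(f(x) == 0 for x in exp):    # Definition 3 needs f* to map GF(2^q)* into itself
        return mult_pn, False
    times = lambda a, y: exp[(log[a] * log[y]) % n]
    divide = lambda u, v: gf_mul(u, exp[(-log[v]) % n], q, poly)
    double_pn = is_g_perfect_nonlinear(f, exp, times, [exp[i] for i in range(2, n)],
                                       divide, n)
    return mult_pn, double_pn

def frobenius(q):
    """The field automorphism F_2 : x -> x^2 of theorem 3 (r = 1)."""
    return lambda x: gf_mul(x, x, q, POLYS[q])

if __name__ == "__main__":
    for q in (3, 5):                   # 2^3 - 1 = 7 and 2^5 - 1 = 31 are Mersenne primes
        print(q, check_doubly_pn(q, frobenius(q)))                          # (True, True)
    # x -> x^2 + x is GF(2)-linear but not a field automorphism: its derivative is 2-to-1
    print(3, check_doubly_pn(3, lambda x: gf_mul(x, x, 3, POLYS[3]) ^ x))  # (False, False)
```

For $q = 4$ (where $15 = 2^4 - 1$ is not prime) the second check would have to restrict the acting group to a subgroup $G$ of $U(\mathbb{Z}_{15})$ as in Theorem 2, for instance $\{\pm 1\}$ from Lemma 5.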